checkpointsw / charts Goto Github PK
View Code? Open in Web Editor NEWDeploy Kubernetes Helm Charts for Check Point CloudGuard
Home Page: https://portal.checkpoint.com/dashboard/cloudguard#/v2/home
License: MIT License
Deploy Kubernetes Helm Charts for Check Point CloudGuard
Home Page: https://portal.checkpoint.com/dashboard/cloudguard#/v2/home
License: MIT License
Is it possible to have a runAsUser for all of the securityContexts or is this not possible due to the access that this helm deployment requires? Ideally I would like to have all deployments within my cluster to run as a non-root user and for me to be able to specify the securityContext.runAsUser element.
Dear Developer,
For readability and Search Engine Optimization (SEO) it would be great if you could do the followings:
Recommended Topics:
Environments:
azure, aws, gcp
Functionality:
build, deploy, staging, operate, terraform, ansible, helm, android, cloudguardIaaS, management, gaia, threat-prevention, identity-awareness, smp, iot, cloudguard-connect, cloudguard-dome9, malware, evasion
Hi
So far, we can only set these common annotations in deployments:
Helper
{{- /* Pod annotations commonly used in agents */ -}}
{{- define "common.pod.annotations" -}}
agentVersion: {{ .agentConfig.tag }}
{{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}}
{{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}}
{{- if and (not (contains "openshift" (include "get.platform" .))) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version ) }}
seccomp.security.alpha.kubernetes.io/pod: {{ .Values.podAnnotations.seccomp }}
{{- end }}
{{- if .Values.podAnnotations.apparmor }}
container.apparmor.security.beta.kubernetes.io/{{ template "agent.resource.name" . }}:
{{ toYaml .Values.podAnnotations.apparmor | indent 2 }}
{{- end }}
{{- end -}}
Deployment
annotations:
{{ include "common.pod.annotations" $config | indent 8 }}
It would be nice to be able to add custom annotations. In my case, I want to configure the mutating webhook of Bank-Vaults through the annotations to inject my Cloudguard credentials retrieved from Vault directly into the pods.
Would it be possible to implement this?
Thanks a lot.
Greetings.
Runtime Protection agents need connectivity to http://mirrors.edge.kernel.org/ for downloading kernel packages. NGFW intercept the package being downloaded and fail the download if vulnerable packages are identified. Can this be switched to a secure URL so NGFW is not able to knock down the download of required kernel package? Below outputs using both http and https URL.
$ wget http://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/linux-4.14.238.tar.gz
Connecting to mirrors.edge.kernel.org (139.178.84.19:80)
saving to 'linux-4.14.238.tar.gz'
linux-4.14.238.tar.g 69% |************************************************************************************* | 103M 0:00:12 ETAwget: read error: Connection reset by peer
$ wget https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/linux-4.14.238.tar.gz
Connecting to mirrors.edge.kernel.org (139.178.84.19:443)
saving to 'linux-4.14.238.tar.gz'
linux-4.14.238.tar.g 100% |****************************************************************************************************************************| 149M 0:00:00 ETA
'linux-4.14.238.tar.gz' saved
Hello!
I'm running an EKS cluster with Bottlerocket AMIs having a Linux kernel of 5.10.102. I've deployed the 2.10.2 chart and am noticing a couple of issues. Here is one of them, the probe version it's attempting to download doesn't exist in the destination bucket.
consec-runtime-probe:0.27.1-cp-1 logs:
* Mounting debugfs
mount: /sys/kernel/debug: permission denied.
Found kernel config at /proc/config.gz
* Trying to compile BPF probe sysdig-probe-bpf (sysdig-probe-bpf-0.27.1-x86_64-5.10.102-0e3028d3e641dd8c5e4e9eed25c2a797.o)
make: Entering directory '/usr/src/sysdig-0.27.1/bpf'
make -C /lib/modules/5.10.102/build M=$PWD
make[1]: Entering directory '/host/usr/src/kernels/5.10.102'
DESCEND objtool
HOSTCC /host/usr/src/kernels/5.10.102/tools/objtool/fixdep.o
fixdep.c:170:1: fatal error: opening dependency file /host/usr/src/kernels/5.10.102/tools/objtool/.fixdep.o.d: Permission denied
}
^
compilation terminated.
make[5]: *** [/host/usr/src/kernels/5.10.102/tools/build/Makefile.build:97: /host/usr/src/kernels/5.10.102/tools/objtool/fixdep.o] Error 1
make[4]: *** [Makefile:41: /host/usr/src/kernels/5.10.102/tools/objtool/fixdep-in.o] Error 2
make[3]: *** [/host/usr/src/kernels/5.10.102/tools/build/Makefile.include:5: fixdep] Error 2
make[2]: *** [Makefile:68: objtool] Error 2
make[1]: *** [Makefile:1925: tools/objtool] Error 2
make[1]: Leaving directory '/host/usr/src/kernels/5.10.102'
make: *** [Makefile:18: all] Error 2
make: Leaving directory '/usr/src/sysdig-0.27.1/bpf'
mv: cannot stat '/usr/src/sysdig-0.27.1/bpf/probe.o': No such file or directory
* Trying to download precompiled BPF probe from https://download.sysdig.com/stable/sysdig-probe-binaries/sysdig-probe-bpf-0.27.1-x86_64-5.10.102-0e3028d3e641dd8c5e4e9eed25c2a797.o
I'm not sure how to proceed here.
Hello,
I recently followed the deployment process to add dome9 cloudguard to my Azure Kubernetes Cluster but ran into an issue that is causing the deployment to fail.
The command I used for the helm deployment is:
helm install asset-mgmt cloudguard --repo https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/ --set credentials.user=00000-00000-00000-00000 --set credentials.secret=00000-00000-00000-00000 --set clusterID=undefined --set addons.imageScan.enabled=true --set addons.admissionControl.enabled=true --namespace dome9 --create-namespace
And when I look at the pods and logs I get the following:
Can I get some help with the deployment and if I am doing it right?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.